20:00:42 <redrobot> #startmeeting barbican
20:00:42 <openstack> Meeting started Mon Nov 9 20:00:42 2015 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:43 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:46 <openstack> The meeting name has been set to 'barbican'
20:01:05 <redrobot> #topic Roll Call
20:01:12 <woodster_> o/
20:01:14 <jkf> o/
20:01:14 <edtubill> o/
20:01:14 <diazjf> o/
20:01:17 <arunkant> o/
20:01:24 <rellerreller> o/
20:01:32 <kfarr> o/
20:01:38 <jhfeng> o/
20:01:41 <silos> \o/
20:02:03 <redrobot> woot!
20:02:09 <redrobot> lots of barbicaneers here today
20:02:17 <redrobot> as usual the meeting agenda can be found here:
20:02:20 <redrobot> #link https://wiki.openstack.org/wiki/Meetings/Barbican
20:03:23 <redrobot> #topic Tokyo Summit Recap
20:03:28 <redrobot> #link https://etherpad.openstack.org/p/barbican-m-design-sessions
20:03:33 <redrobot> #link https://etherpad.openstack.org/p/mitaka-barbican-roadmap
20:03:39 <redrobot> #link https://etherpad.openstack.org/p/mitaka-barbican-federation
20:04:26 <redrobot> I think the hottest topic at the Summit was definitely Federation
20:04:39 <redrobot> There was a lot of good discussion
20:04:43 <alee_> o/
20:06:07 <redrobot> the other big topic was the splitting of CA features into a separate project
20:06:25 <redrobot> but given that nobody is actually willing to do the work, I'm not going to spend any more time talking about it
20:06:55 <rellerreller> :(
20:07:44 <redrobot> we saw an uptick on Barbican interest
20:08:06 <redrobot> also we had a chance to talk to some folks in the Designate team about a new use case for Barbican
20:08:32 <redrobot> and we found out that there's Barbican deployments in the wild :-O
20:09:53 <dave-mccowan> o/
20:11:03 <redrobot> We also talked about Marshall a bit
20:11:30 <redrobot> and our recommendation to the Marshall contributors is to continue to develop outside of the Barbican or Security projects
20:12:08 <redrobot> anything else I missed that would be worth mentioning?
20:12:32 <dave-mccowan> The Marshall team welcomes all contributors, if anyone wants to be a "founder". ping me and I can get you in touch. :-)
20:13:24 <redrobot> ok, moving on
20:13:27 <rellerreller> redrobot bring your own key was a hot potato
20:13:52 <redrobot> rellerreller yeah, I saw the IBM folks added an agenda item to talk about it in a bit
20:14:07 <redrobot> #topic Substitute PTL
20:14:32 <woodster_> any summary about Anchor and other CMS projects vs barbican CMS?
20:15:01 <redrobot> I'm going to be taking off for about 3 weeks starting Wednesday next week
20:15:13 <redrobot> and I'm looking for someone to chair the Nov 23 and Nov 30 meetings
20:15:20 <redrobot> does anyone want to volunteer?
20:16:19 <redrobot> woodster_ the Security folks agreed it would be good to write up the differences between Anchor, Killick and Barbican, but AFAIK nobody signed up to do it.
20:16:27 <rellerreller> redrobot I don't mind.
20:16:45 <rellerreller> Maybe I should ask what that entails first.
20:17:07 <redrobot> rellerreller basically running this meeting. :)
20:17:26 <rellerreller> That seems easy enough.
20:17:59 <redrobot> rellerreller possibly coordinate the release of Mitaka-1
20:18:07 * redrobot checks Mitaka release schedule
20:18:35 <rellerreller> Oh, I don't know much about releasing the software.
20:18:46 <redrobot> Yeah, Mitaka-1 milestone is due on Dec 1-3
20:19:19 <rellerreller> I don't think I'm a good person for that. I don't know anything about that stuff. I can run a meeting easy enough.
20:19:36 <kfarr> redrobot, is it as easy as putting in the merge request for the release team to do it?
20:19:52 <redrobot> kfarr that's a good question...
20:20:05 <redrobot> Historically the Release Manager(s) hang out in #openstack-release
20:20:30 <redrobot> and ping the PTL (or release liaison) to ask if the project is ready for release
20:21:07 <redrobot> kfarr I'll ask if a merge request would be a good way to do a milestone release and get back to you
20:21:29 <kfarr> redrobot ok!
20:21:31 <redrobot> #action redrobot to ask Release Managers if mitaka-1 will be a CR release
20:21:57 <redrobot> #info rellerreller will be meeting chair on Nov 23 and Nov 30
20:22:36 <redrobot> kfarr does that mean you could possibly be the release liaison for mitaka-1 ? :D
20:23:18 <kfarr> redrobot, maybe! I want all the details before I commit
20:23:18 <rellerreller> She did know the right questions to ask.
20:23:39 <redrobot> kfarr hehe, fair enough, I'll have the details for next week's meeting for sure.
20:23:44 <redrobot> ok, moving on
20:23:59 <redrobot> #topic Federation Use Cases
20:24:38 <redrobot> one of the take-aways of the Federation discussions was that we needed more concrete use cases, and both IBM and Rackspace were going to work on getting Use Cases documented
20:24:56 <redrobot> silos diazjf I'm guessing you guys have made some progress on that?
20:25:26 <diazjf> redrobot correct, we created an etherpad as seen here: https://etherpad.openstack.org/p/barbican-federation-use-cases
20:26:15 <edtubill> There are annotations for compliance on the page if anyone wants to check it out.
20:26:45 <redrobot> diazjf awesome, I'll forward this to Joe
20:27:17 <redrobot> A high level summary of the Federation discussions:
20:28:00 <redrobot> We're calling "Federation" the feature of Bring Your Own Key (BYOK) to OpenStack clouds
20:28:13 <redrobot> There's two models we could use
20:28:39 <redrobot> Push Model: Basically a user would send the required key along with the request for an operation that requires the key.
20:28:41 <rellerreller> Is federation really the same thing as bring your own key?
20:30:03 <redrobot> Pull Model: A user would grant access to their device to the cloud. The cloud service that needs a key would reach into the users' device to get the key when needed.
20:30:17 <redrobot> there's advantages and disadvantages to both.
20:30:24 <edtubill> I think BYOK would somehow fall under BYOD if you can associate a key on your private device to a resource on the public cloud.
20:30:29 <redrobot> rellerreller arguably they could be different
20:30:55 <redrobot> rellerreller Rackspace is interested in BYOK, and we think Federation may be a way to provide it
20:31:53 <rellerreller> ok. Just raising the question. Don't need an answer now. I'm still trying to organize things in my head.
20:31:55 <redrobot> the interesting thing about BYOK is that both Azure and AWS claim to have it, yet the two are vastly different
20:32:37 <alee_> redrobot, I'd like to see these models fleshed out in a little more detail -- with an example say of retrieving a key for volume encryption
20:32:47 <rellerreller> +1
20:32:50 <redrobot> edtubill that's one way of thinking about BYOK... but if you look at the AWS model, they don't really care whether the user has a device or not... they only care that the user can provide the key when needed.
20:32:54 <alee_> redrobot, right now - all the terms are pretty fuzzy
20:33:24 <alee_> and for the push case, for instance, it's not clear to me how barbican need be involved at all ..
20:33:26 <rellerreller> alee_ I agree. I think walking through that use case in particular may prove to eliminate some of the complexities that are being proposed.
20:33:52 <silos> Box also an interesting BYOK model: http://www.infoworld.com/article/2882030/encryption/box-you-can-bring-your-own-keys-to-encrypt-in-our-cloud.html
20:34:18 <woodster_> I recall the push case was probably a no go, as it would require a lot of changes to existing services to support it
20:34:34 <diazjf> rellerreller, redrobot, we can create more detailed use-cases with Models and review them during the next meeting
20:34:40 <woodster_> I agree a detailed set of use case sequences would be helfpule
20:34:46 <woodster_> ...or even helpful
20:34:50 <diazjf> These were just meant to be high-level
20:35:06 <woodster_> diazjf: sounds good
20:35:17 <rellerreller> woodster_ the push model still had significant hurdles.
20:35:39 <redrobot> alee_ agreed. someone did mention that push model would not necessarily need Barbican at all
20:35:50 <rellerreller> woodster_ the biggest one was how to get the key from the service that is invoked with the key to the actual service that does the work.
20:36:24 <rellerreller> redrobot I don't think push or pull model would need to involve Barbican for byok.
20:36:56 <rellerreller> If the key location is stored in metadata then can use Barbican, KMIP, etc.
20:37:10 <redrobot> Our reasoning for wanting Barbican in the mix, is that BYOK In other clouds is putting the burden of key management on the user
20:37:22 <woodster_> rellerreller: I think the linked-secret was required in Barbican?
20:37:33 <redrobot> and Barbican, being a key management service, would help users with that burden
20:38:17 <rellerreller> woodster_ it was proposed as a solution, but we never walked through the sequence of events to prove that it was needed.
20:38:20 <redrobot> woodster_ that was just one possible solution... I'm not convinced linked-type is the only way to achieve BYOK
20:38:50 <rellerreller> Meaning I don't know that it is needed. I think people were solving a problem that did not exist, but I could be wrong.
20:40:14 <alee_> guys, while this is all interesting -- we need to see some sequence diagrams to define the use cases and the actual problems -- it feels like we're going around and around in conversation ..
20:40:55 <redrobot> alee_ :)
20:40:56 * woodster_ maybe we need a special content type to indicate a key is federated?
20:41:15 <woodster_> that was for alee_ :)
20:41:23 <diazjf> woodster_ that was the idea in the proposed links idea.
20:41:29 * alee_ aiming a missile Texas -way ..
20:41:37 <redrobot> hehe
20:41:56 <redrobot> I'll review the use cases that diazjf and edtubill documented
20:42:16 <redrobot> and pass them along to Joe Savak
20:42:36 <redrobot> #action redrobot to review use cases documented by diazjf and edtubill
20:43:02 <redrobot> #action diazjf to document lower-level sequence diagrams
20:43:08 <diazjf> woodster_ rellerreller, see https://etherpad.openstack.org/p/mitaka-barbican-federation at the end. We discussed at the summit that they would affect Castellan
20:43:22 <diazjf> redrobot, you got it!
20:43:27 <rellerreller> How many of these use cases are actual (meaning customers are asking for this) vs. they sound like they could be useful?
20:44:15 <rellerreller> For instance use case 3 of customer scaling?
20:44:59 <edtubill> #1 is the main use case that we want to meet and the other are just for consideration
20:46:13 <rellerreller> edtubill thanks
20:47:59 <redrobot> ok, moving on
20:48:04 <redrobot> #topic Mid-Cycle
20:48:17 <redrobot> We started the mid-cycle conversation at the end of the Summit
20:48:54 <redrobot> as usual, we would like to have the Security and Barbican Mid-cycles in the same place, so that people who are interested in both can plan travel to just one place
20:49:44 <redrobot> but it's always challenging to coordinate
20:50:31 <redrobot> #info the proposed date for the mid-cycle is January 11-15
20:50:47 <redrobot> There's a few options for location
20:51:03 <redrobot> 1. Rackspace Castle in San Antonio, TX
20:51:14 <redrobot> 2. APL in Laurel, MD
20:51:30 <redrobot> 3. HP campus in Seattle, WA
20:53:14 <alee_> redrobot, what happened to RDU? Did you guys decide against that after I left?
20:53:16 <redrobot> I think we have the most Barbican contributors in the San Antonio/Austin area, so my preference would be for #1
20:53:49 <diazjf> redrobot, I'll see if we can get approval for IBM(Austin) to host it
20:54:39 <redrobot> diazjf we had the last mid-cycle in Austin, and since the next summit is in Austin, I was thinking SA would be better.... but I'm not totally opposed to it
20:55:38 <diazjf> diazjf, agreed! I'd like to see the Rackspace Headquarters
20:55:52 <diazjf> redrobot ^
20:55:57 <redrobot> alee_ I think the Security folks were leaning towards APL or Seattle... I'll float RDU by them though
20:56:33 <alee_> redrobot, just curious that's all .. I remember Raleigh being in the mix when I left for the airport
20:56:40 <redrobot> maybe we should set up a Surveymonkey with all locations
20:57:08 <alee_> redrobot, if it isn't , I won't bother looking into permissions to host etc.
20:57:16 <rellerreller> redrobot if APL is chosen then I would need to know soon, so I can try and reserve space.
20:57:25 <redrobot> Mountain View & San Jose were also thrown out there
20:57:55 <rellerreller> Sounds like alee_ has same concerns as me. When were you and Rob planning to make a decision?
20:58:10 <dave-mccowan> oh yea... last word in Tokyo was to try to sync with Rob Clark and the Security Group. He was going to look in to space at HP Seattle for us.
20:58:10 <rellerreller> redrobot ^ is for you.
20:58:22 <redrobot> rellerreller I'm hoping soon... I sent him an email today and am waiting on a reploy
20:58:32 <redrobot> reply even
20:59:35 <dave-mccowan> security group's weekly meeting is on Thursdays, so that's probably the soonest we can get feedback from security project team.
21:00:14 <redrobot> also historically, we've never actually been able to coordinate the joint mid-cycle... :(
21:01:26 <redrobot> aaaand we're way over on time
21:01:35 <redrobot> thanks everyone for coming!
21:01:43 <redrobot> should have more info on mid-cycle next week
21:01:46 <redrobot> #endmeeting